The objective is to delete id stored in session after logout.
Note:
1. session_start() has been called at the start of the request
2. Error reporting is turned on
What I have tried:
After using the usual
unset
, if I
var_dump
, it appears to have truly removed the id, yet the same id is available on subsequent requests to other routes. This doesn't apply to unset alone, as I have observed when inserting on that request too
public function signout () {
unset($_SESSION['login_id'] );
$_SESSION['jhg'] = 6778;
return [];
}
The only way I was able to successfully clear the value was with this hack
$eds = array_filter($_SESSION, function ($k) {
return $k != 'login_id';
}, ARRAY_FILTER_USE_KEY);
$_SESSION = []; session_destroy();
session_start(); $_SESSION = $eds;
This works because I realized destroying the entire session is persisted across requests. That's the only operation on the superglobal that works on this particular request/route. Altering the session elsewhere works just as the docs say. What could be going on?